FortiCloud External IdP: Centralized Identity Management for Enterprise Security

As organizations increasingly adopt cloud-based security solutions, managing user access across multiple platforms has become a significant challenge. Fortinet addresses this challenge through its External Identity Provider (IdP) integration for FortiCloud services, allowing enterprises to leverage their existing identity infrastructure for seamless access to FortiCloud's security ecosystem. This integration enables users to log into FortiGate Cloud, FortiSASE, FortiAnalyzer Cloud, and FortiManager Cloud using their company-provided credentials via third-party SAML identity providers like Okta and Microsoft Entra ID (formerly Azure AD).

This strategic approach to identity management reflects the growing industry trend toward centralized authentication systems that reduce administrative overhead while enhancing security through standardized access controls. By implementing External IdP, organizations can streamline their security operations while maintaining the robust access governance required in today's threat landscape.


Understanding FortiCloud External IdP Integration

Core Functionality and Architecture

FortiCloud's External IdP integration operates on the SAML 2.0 protocol, an industry standard for exchanging authentication and authorization data between identity providers and service providers. When configured, the system allows external users to authenticate through their company's identity provider rather than maintaining separate FortiCloud credentials. This federated identity approach significantly reduces credential proliferation and enhances security posture by eliminating the need for users to manage multiple passwords across different security platforms.

The architecture follows the standard SAML web-browser SSO pattern: FortiCloud acts as the service provider (SP) and the customer's identity system (such as Okta or Microsoft Entra ID) serves as the identity provider (IdP). The IdP application is also given a Default RelayState pointing at the FortiCloud Portal URL, which is the setting Okta and Entra ID use for IdP-initiated sign-in, so users can start either from a FortiCloud login page (SP-initiated) or from the application tile in their IdP dashboard. After successful authentication at the IdP, users gain access to FortiCloud services based on the roles and permissions mapped to their IdP group membership, creating a bridge between organizational identity systems and Fortinet's cloud security offerings.

Key Benefits for Enterprise Organizations

  1. Unified Authentication Experience: Employees use their existing corporate credentials to access multiple FortiCloud services without a separate FortiCloud password to manage, and whatever MFA or conditional-access policy the IdP enforces applies to FortiCloud logins as well.

  2. Centralized Access Control: IT administrators can manage FortiCloud access alongside other enterprise applications within their existing identity management console, applying consistent policies across the organization.

  3. Enhanced Security Posture: By eliminating separate credentials for FortiCloud services, organizations reduce attack surfaces associated with password reuse and weak authentication practices.

  4. Simplified Onboarding and Offboarding: Employee access to FortiCloud services is granted and withdrawn through established identity lifecycle processes. Because FortiCloud derives authorization from the group membership the IdP presents at login, removing a user from the mapped group or disabling the account at the IdP blocks any new FortiCloud login; as with any SAML service provider, a session that is already established is not recalled by that change and lasts until it expires or the user logs out.

  5. Audit and Compliance Alignment: Authentication events flow through the organization's primary identity system, creating consolidated logs that support security monitoring and compliance reporting requirements.


Implementation Process: A Step-by-Step Guide

Phase 1: Enrollment and Initial Configuration

The implementation of FortiCloud External IdP begins with an enrollment process that requires coordination with Fortinet representatives. According to official documentation, organizations must:

  1. Contact Fortinet Sales: Initiate the process by reaching out to your Fortinet sales representative to request enrollment for external IdP services. This step is mandatory as Fortinet provides specific configuration details and an enrollment form.

  2. Configure IdP Application: Set up a SAML application in your identity provider (Okta or Microsoft Entra ID) using temporary URLs provided during initial configuration:

    • For Okta: Enter a temporary URL (such as https://customersso1.fortinet.com/) into both the "Single sign-on URL" and "Audience URI (SP Entity ID)" fields
    • For Microsoft Entra ID: Enter a temporary URL for both the "Identifier (Entity ID)" and "Reply URL (Assertion Consumer Service URL)" fields
  3. Complete Enrollment Documentation: Fill out the enrollment form with essential information including company name, SAML 2.0 IdP name, FortiCloud account ID, master user email, company administrator details, and Fortinet contact information.

  4. Share Metadata: Download the IdP Metadata file from your identity provider and submit it along with the completed enrollment form to your Fortinet representative.

Once approved, organizations receive official SAML information including specific URLs to replace the temporary values in their IdP configuration.

Phase 2: Technical Configuration

After enrollment approval, organizations must update their IdP application configuration with the specific URLs provided by Fortinet:

For Okta Configuration:

  • Replace temporary URLs in the SAML Settings with Fortinet-provided values:
    • Single sign-on URL → SP Login (Assertion Consumer Service ACS) URL
    • Audience URI (SP Entity ID) → SP Entity ID
    • Default RelayState → Portal URL (Relay State)

For Microsoft Entra ID Configuration:

  • Update Basic SAML Configuration with:
    • Identifier (Entity ID) → SP Entity ID
    • Reply URL (Assertion Consumer Service URL) → SP Login (Assertion Consumer Service ACS) URL
    • Relay State → Portal URL (Relay State)
    • Logout Url → SP Logout (SLS)

The community documentation provides additional technical guidance for Microsoft Entra ID integration, particularly regarding attribute configuration. Organizations should ensure they:

  • Add a "username" claim with source attribute set to "user.userprincipalname"
  • Configure group claims with "Groups assigned to the application" and customize the claim name to "Role" with "Group ID" as the source attribute. With this choice Entra ID emits only the groups explicitly assigned to the application under "Users and groups", which keeps unrelated groups out of the assertion and avoids the group-overage behaviour that affects users who belong to many groups.

Phase 3: Role Mapping and Permission Configuration

FortiCloud External IdP utilizes a role-based access control model where permissions are managed through external IdP roles. These roles allow authenticated external users to access cloud applications based on their assigned privileges within the organization's identity provider.

Critical Implementation Steps:

  1. Group Configuration in Identity Provider: Within your enterprise application (Microsoft Entra ID or Okta), navigate to "Users and Groups" and add the appropriate groups that will access FortiCloud services. Copy the Group Object ID for each group, as this value becomes crucial for role mapping.

  2. Permission Profile Creation: In the FortiCloud IAM portal, navigate to the "Permission Profiles" tab and select "Add New" to create permission profiles with relevant access rights to desired FortiCloud portals (FortiGate Cloud, FortiManager Cloud, etc.).

  3. External IdP Role Mapping: Under the FortiCloud IAM portal "Users" tab, select "Add New → External IdP Role." The Role Name must exactly match the Group Object ID copied from your identity provider. This precise matching ensures proper authorization flow from group membership in the IdP to specific permissions in FortiCloud.
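The attribute configuration above and the exact-match rule for External IdP Roles are where most first logins fail, and the error shown to the user rarely says which. The script below is an added example for this article, not Fortinet code: it decodes a SAMLResponse captured from the browser during a test login (HTTP-POST binding, the base64 form field), checks that the Audience and Recipient match the SP Entity ID and ACS URL Fortinet supplied, that a "username" attribute is present, and that every "Role" value matches an External IdP Role name character for character, reporting case and whitespace near-misses and display names sent in place of Group Object IDs. The SP URLs, the role table, the GUIDs and the embedded response are all constructed placeholders. It does not verify the XML signature, so it is a configuration diagnostic and not a stand-in for the validation FortiCloud performs.

```python
"""Offline check of a captured SAML Response against a FortiCloud role mapping.

Added example, not Fortinet code. No signature verification: configuration
diagnostics only. Encrypted assertions are not handled.
"""
import base64
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

# Placeholders for the SP values Fortinet returns after enrollment (assumption:
# substitute the real SP Entity ID and ACS URL from your enrollment reply).
SP_ENTITY_ID = "https://sp.example.invalid/saml/metadata"
ACS_URL = "https://sp.example.invalid/saml/acs"

# Constructed copy of the FortiCloud IAM 'External IdP Role' table:
# Role Name (the IdP Group Object ID) -> permission profile assigned to it.
EXTERNAL_IDP_ROLES = {
    "0f1c2a3b-4d5e-4f60-8a9b-0c1d2e3f4a5b": "FortiGate Cloud Admin",
    "9e8d7c6b-5a49-4382-9170-6f5e4d3c2b1a": "FortiAnalyzer Cloud Read-Only",
}


def decode_post_binding(saml_response_b64: str) -> str:
    """The SAMLResponse form field of an HTTP-POST binding is plain base64 XML."""
    return base64.b64decode(saml_response_b64).decode("utf-8")


def parse_response(xml_text: str) -> dict:
    """Pull the fields the checks need out of the first assertion."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext <saml:Assertion> in response")
    cond = assertion.find("saml:Conditions", NS)
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    attributes = {
        a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
        for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    audiences = [] if cond is None else [
        a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    return {
        "audiences": audiences,
        "not_on_or_after": None if cond is None else cond.get("NotOnOrAfter"),
        "recipient": None if scd is None else scd.get("Recipient"),
        "attributes": attributes,
    }


def check_response(parsed: dict, now: datetime) -> dict:
    """Return the permission profiles the user would receive plus every problem found."""
    problems = []
    attrs = parsed["attributes"]
    if SP_ENTITY_ID not in parsed["audiences"]:
        problems.append(f"Audience {parsed['audiences']} does not contain SP Entity ID {SP_ENTITY_ID}")
    if parsed["recipient"] != ACS_URL:
        problems.append(f"Recipient {parsed['recipient']!r} is not the ACS URL {ACS_URL}")
    expiry = parsed["not_on_or_after"]
    if expiry and datetime.fromisoformat(expiry.replace("Z", "+00:00")) <= now:
        problems.append(f"assertion expired at {expiry} (clock skew or a stale capture)")
    if not attrs.get("username"):
        problems.append("no 'username' attribute: add the claim sourced from user.userprincipalname")
    if not attrs.get("Role"):
        problems.append("no 'Role' attribute: user is in no group assigned to the application")

    profiles = []
    for value in attrs.get("Role", []):
        if value in EXTERNAL_IDP_ROLES:
            profiles.append(EXTERNAL_IDP_ROLES[value])
            continue
        # Diagnose the usual near-misses behind an exact-match failure.
        normalized = value.strip().lower()
        near = [k for k in EXTERNAL_IDP_ROLES if k.lower() == normalized]
        if near:
            problems.append(f"Role {value!r} matches {near[0]!r} only after case/whitespace normalization")
        elif not GUID_RE.match(normalized):
            problems.append(f"Role {value!r} is not a Group Object ID; claim source should be 'Group ID'")
        else:
            problems.append(f"Role {value!r} has no External IdP Role in FortiCloud IAM")
    return {"username": (attrs.get("username") or [None])[0], "profiles": profiles, "problems": problems}


# Constructed sample response: one mapped group ID, one in the wrong case, one display name.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-06-01T12:00:00Z" Destination="{ACS_URL}">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-06-01T12:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2024-06-01T12:05:00Z"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2024-06-01T11:55:00Z" NotOnOrAfter="2024-06-01T13:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Role">
        <saml:AttributeValue>0f1c2a3b-4d5e-4f60-8a9b-0c1d2e3f4a5b</saml:AttributeValue>
        <saml:AttributeValue>9E8D7C6B-5A49-4382-9170-6F5E4D3C2B1A</saml:AttributeValue>
        <saml:AttributeValue>FortiCloud-Admins</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()

if __name__ == "__main__":
    parsed = parse_response(decode_post_binding(SAMPLE_RESPONSE_B64))
    print(check_response(parsed, datetime(2024, 6, 1, 12, 1, tzinfo=timezone.utc)))
```

On the constructed sample the user lands in "FortiGate Cloud Admin" only: the second GUID is reported as a case mismatch (an IdP that emits uppercase IDs, or a Role Name pasted with a trailing space, produces exactly this) and "FortiCloud-Admins" is flagged as a display name, which is what you see when the group claim's source attribute is left at the group name instead of "Group ID".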

Phase 4: Transition Management

Fortinet emphasizes the importance of managing the transition from existing IAM or sub-users to the new External IdP authentication model. Organizations must:

  1. Set Co-exist End Date: Configure a transition period during which both existing IAM/sub-users and new External IdP users can access the account. This allows for gradual migration and testing.

  2. Plan for Disablement: All existing IAM and sub-users will be automatically disabled following the IdP transition period unless the co-exist date is extended. Organizations should communicate this change to affected users and ensure all necessary personnel have been migrated to the External IdP authentication method.

  3. Test Authentication Flow: Use the Portal URL (Relay State) provided by Fortinet (typically in the format https://customersso1.fortinet.com/saml-idp/proxy/{realm}/login/) to test the complete authentication flow before enforcing the transition.


Key Considerations and Best Practices

Scope and Limitations

Organizations should be aware of several important scope considerations when implementing FortiCloud External IdP:

  • Service Coverage: FortiCloud External IdP integration currently supports FortiCloud services exclusively, including FortiGate Cloud, FortiSASE, FortiAnalyzer Cloud, and FortiManager Cloud.

  • FortiGate Distinction: For organizations requiring SAML SSO for FortiGate devices directly, this must be configured within FortiOS separately, as FortiGate devices support native SAML SSO configuration outside the FortiCloud External IdP framework.

  • Logout Behavior: When External IdP users click "Logout" within FortiCloud portals, they are only logged out of the portal session, not their company's identity provider. This keeps the user signed in to other enterprise applications, but it also means that on a shared or unattended browser the next person to open the Portal URL can be signed straight back in by the still-valid IdP session without re-entering credentials. Users who need to end access completely should also sign out of the IdP or close the browser; the Logout URL (SP Logout / SLS) configured in Entra ID covers the other direction, where a sign-out at the IdP is propagated to FortiCloud.

Security and Operational Considerations

  1. Metadata Handling: The IdP Metadata file is not a secret; it carries the IdP's entityID, its SSO endpoints, and its public signing certificate. What matters is its integrity, because an attacker who could substitute their own signing certificate into the metadata Fortinet loads would be able to forge assertions for your account. Send the file through an authenticated channel, confirm the signing-certificate fingerprint with your Fortinet representative out of band, and plan for certificate rotation at the IdP: once the IdP starts signing with a new certificate, updated metadata has to reach Fortinet or logins will fail.

  2. Role-Name Precision: The exact matching requirement between Group Object IDs in your identity provider and Role Names in FortiCloud demands careful documentation and verification. With "Group ID" as the claim source, Entra ID emits the group's object ID (a GUID) as the Role value, so the Role Name must be that GUID string and not the group's display name; a stray space, a wrong character, or a copied display name breaks the authorization flow without any obvious error at the IdP.

  3. Attribute Consistency: Ensure that user attributes (particularly username and group claims) are correctly configured in your identity provider to avoid authentication or authorization failures.

  4. Multi-Provider Support: While official documentation focuses on Okta and Microsoft Entra ID, Fortinet notes that "multiple external identity providers are supported by FortiCloud." Organizations using other SAML-compliant IdPs should consult with Fortinet representatives about specific configuration requirements.

  5. Testing Protocol: Implement a phased testing approach beginning with a small pilot group before expanding to all users. This allows identification and resolution of configuration issues with minimal disruption.


Frequently Asked Questions

Q1: What is the main advantage of implementing FortiCloud External IdP?
A: The primary advantage is centralized identity management that allows users to access multiple FortiCloud services using their existing corporate credentials, eliminating password fatigue while enhancing security through consistent access policies managed in a single identity provider.

Q2: How does the enrollment process work?
A: Enrollment requires contacting your Fortinet sales representative, configuring a SAML application in your identity provider with temporary URLs, completing an enrollment form with account and contact information, and sharing your IdP Metadata file with Fortinet. After approval, you'll receive specific URLs to finalize the configuration.

Q3: Can we use multiple identity providers with a single FortiCloud account?
A: The documentation doesn't explicitly address multiple identity providers for a single account. Organizations with this requirement should consult directly with Fortinet representatives to determine the supported configuration options.

Q4: What happens to existing IAM users after implementing External IdP?
A: Existing IAM and sub-users will be disabled after the transition period specified by the "co-exist end date." Organizations should ensure all necessary users are migrated to External IdP authentication before this date or extend the co-exist period as needed.

Q5: Is the External IdP configuration reversible if we encounter issues?
A: The documentation doesn't specifically address reversal procedures. However, the co-exist period keeps existing IAM and sub-users working alongside External IdP users, so extending the co-exist end date preserves a working fallback while configuration issues are resolved. Keep at least one IAM administrator account able to log in until External IdP access has been verified end to end.

Q6: What technical prerequisites are needed for implementation?
A: Organizations need a working SAML 2.0 identity provider (such as Okta or Microsoft Entra ID), administrative access to both their IdP and FortiCloud account, and the ability to coordinate with Fortinet representatives throughout the enrollment and configuration process.

Q7: How are permissions and access levels managed with External IdP?
A: Permissions are managed through external IdP roles in FortiCloud that map to groups in your identity provider. The Group Object ID from your IdP must exactly match the Role Name in FortiCloud, with permissions assigned to these roles determining what users can access within FortiCloud services.


Conclusion: Strategic Identity Integration for Modern Security Operations

FortiCloud External IdP represents a significant step forward in integrating cloud security platforms with enterprise identity ecosystems. By implementing this federated identity approach, organizations can achieve greater operational efficiency while strengthening their security posture through centralized access governance. The implementation process, while requiring coordination with Fortinet representatives, follows established SAML integration patterns familiar to most IT security teams.

As enterprises continue to adopt cloud-based security solutions, the ability to integrate these platforms with existing identity infrastructure becomes increasingly critical. FortiCloud External IdP addresses this need effectively, providing a pathway to unified identity management across both traditional enterprise applications and modern cloud security platforms. Organizations embarking on this implementation should prioritize careful planning, particularly around role mapping and transition management, to ensure a smooth deployment that delivers the full benefits of centralized authentication and authorization.

For organizations using FortiCloud services extensively, this integration offers tangible benefits in user experience, security administration, and compliance management—making it a worthwhile investment for security teams seeking to optimize their cloud security operations.